Description
ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in the loadxml() method of onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java. An adversary can remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to be exploitable via network connectivity.
Remediation
References
https://gerrit.onosproject.org/#/c/18894/
http://gms.cl0udz.com/Openconfig_xxe.pdf
Related Vulnerabilities
CVE-2021-23330 Vulnerability in npm package launchpad
CVE-2021-20086 Vulnerability in npm package jquery-bbq
CVE-2022-22138 Vulnerability in npm package fast-string-search
CVE-2021-32860 Vulnerability in maven package org.webjars.npm:izimodal
CVE-2021-3629 Vulnerability in maven package io.undertow:undertow-core